Unable to view OAB and OOF via Outlook Anywhere published through TMG/ISA

This post is about a problem where Outlook was working fine through the TMG publishing rule, but when the TMG admin tried to access OAB and OOF through Outlook he got an error. To bypass Outlook he tried to access https://mail.contoso.com/ews/exchange.asmx directly and got a 403. The 403 was coming from the Exchange vdir /EWS/; here is an example of the header:

Resolution: after some investigation we noticed that /EWS had anonymous authentication enabled (the /EWS vdir on Exchange 2007 doesn't have anonymous enabled by default). After disabling anonymous and leaving only Basic (to match the authentication delegation configured on the TMG rule) it worked.

Important points before adopting this resolution:

While working on this issue with the Exchange folks, they warned me about this action (disabling anonymous for /EWS on Exchange 2010) and told me that:

“There are some issues if you disable anonymous on /EWS/ vdir for Exchange 2010. Anonymous is enabled on the virtual directory because EWS uses ws-security for federating calendars and free/busy across organizations for the new calendar sharing feature. Federation occurs via the ws-security protocol, which authenticates via SOAP <wssecurity> header rather than an HTTP authentication header. IIS must let such requests go through, after which WCF (upon which EWS is built) will properly authenticate them - in other words the "anonymous" IIS setting does not allow anonymous requests to get through to EWS. Turning off anonymous has some side effects, namely that cross-organization (federated) calendar sharing breaks as does federated mailbox migration.”

With those considerations in mind, what you can do in TMG to overcome this without disabling anonymous is:

1. Use the Exchange Publishing Wizard to create a new rule, and remove all vdirs except /ews.

2. Set this rule to direct authentication.

3. Order this rule above the original Exchange publishing rule.

4. In the original rule (the one that publishes Outlook Anywhere), remove the /ews/ path.
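To see what the published /ews path actually returns to an unauthenticated client, both when reproducing the 403 described above and after splitting the rule as in the steps above, here is a small probe. It is an added example, not code from the original post or from TMG, and it assumes the URL from the post; it sends one unauthenticated GET and classifies the reply as the 403 symptom, a 401 offering Basic (what a rule that delegates Basic needs), or a 401 offering only Negotiate/NTLM. The sample responses embedded below are constructed, not captured.

```python
# Added example (not from the original post): probe the published EWS URL
# without credentials and classify what comes back.
import http.client
import ssl
from urllib.parse import urlsplit

def classify_ews_response(status, headers):
    """Map (status, [(name, value), ...]) to a short diagnosis token."""
    # IIS may send several WWW-Authenticate headers; collect every scheme offered.
    schemes = {v.split()[0].lower() for n, v in headers
               if n.lower() == "www-authenticate" and v.strip()}
    if status == 403:
        return "FORBIDDEN"            # the symptom described in the post
    if status == 401:
        if "basic" in schemes:
            return "BASIC_OFFERED"    # matches a TMG rule that delegates Basic
        if schemes & {"negotiate", "ntlm"}:
            return "WINDOWS_AUTH_ONLY"  # nothing for Basic delegation to match
        return "NO_USABLE_CHALLENGE"
    if status == 200:
        return "ANONYMOUS_ALLOWED"    # vdir answered without demanding auth
    return f"UNEXPECTED_{status}"

def probe(url, timeout=10):
    """One unauthenticated GET against the published EWS path."""
    parts = urlsplit(url)
    conn = http.client.HTTPSConnection(parts.hostname, parts.port or 443,
                                       timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("GET", parts.path or "/")
        resp = conn.getresponse()
        return resp.status, classify_ews_response(resp.status, resp.getheaders())
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server) for offline use.
SAMPLES = {
    "post_symptom": (403, [("Content-Type", "text/html")]),
    "basic_only": (401, [("WWW-Authenticate", 'Basic realm="mail.contoso.com"')]),
    "windows_only": (401, [("WWW-Authenticate", "Negotiate"),
                           ("WWW-Authenticate", "NTLM")]),
}

if __name__ == "__main__":
    for name, (status, hdrs) in SAMPLES.items():
        print(f"{name}: {status} -> {classify_ews_response(status, hdrs)}")
    # Live check (uncomment with your own published URL):
    # print(probe("https://mail.contoso.com/ews/exchange.asmx"))
```

Run the live probe once before and once after the rule change; the token should move from FORBIDDEN to BASIC_OFFERED (or to whatever challenge your /ews vdir is configured to present).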